Abstract

We describe a method for private database queries using exchange of
quantum states with bits encoded in mutually incompatible bases. For
technology with limited coherence time, the database vendor can announce
the encoding after a suitable delay to allow the user to privately
learn one of two items in the database without the ability to also
definitely infer the second item. This quantum approach also allows the user
to choose to learn other functions of the items, such as the exclusive-or of
their bits, but not to gain more information than equivalent to learning
one item, on average. This method is especially useful for items
consisting of a few bits by avoiding the substantial overhead of conventional
cryptographic approaches.

1 Introduction 

Quantum information processing [25] provides potentially significant
performance improvements over conventional techniques. One example is quantum
computation with its ability to rapidly solve problems, such as factoring [2"T],
which appear to be otherwise intractable. However, implementing machines
with enough bits and coherence time to solve computational problems difficult
enough to be of practical interest is a major challenge. Another application,
quantum cryptography, is feasible today for exchanging keys over distances of
tens of kilometers. A third application area is to quantum economic
mechanisms, which can offer benefits with only a few qubits which should be feasible
to implement relatively soon.

Early quantum information technology is likely to be characterized by few
operations before decoherence, limited ability to store coherent states and
communication involving limited entanglement, particularly restricted to pairwise
entangled states. Such limited technology will not provide significant
computational advantages over conventional techniques. Nevertheless, limited quantum
information capabilities provide alternative economic mechanisms for situations
benefiting from correlated behaviors among participants and the information
security provided by quantum states. Examples include provisioning public
goods [5J HHj !, coordinating random choices without communication [T^l [H] and
auctions [10, 8]. These economic methods can function with limited quantum
information technology, but do not require it. In contrast, the private database
query method described in this paper relies on the difficulty of maintaining
coherence for long times to be economically viable.

Privacy-enhanced mechanisms can be instrumental in encouraging beneficial 
transactions in situations where participants face economic or other costs if their 
information is revealed to others. Examples based on cryptographic methods 
include allowing long-term surveys on sensitive social or medical topics [11] and
auctions [23]. The problem treated in this paper arises when a user wishes to
purchase some information from a vendor without revealing what information 
is desired, but also not paying for additional information (e.g., purchasing the 
entire database). 

In the remainder of this paper, we first describe the private database query 
problem in its most basic case: selecting one of two bits. We then prove, by 
applying the generalized entropic uncertainty relations proven in [17], that the
user can learn at most one bit under the assumption that maintaining coherence 
beyond a limited time is not possible with the technology available or too costly 
compared to the economic value of the information. We then briefly consider 
the generalization to larger databases with many bits of information on multiple 
items, and conclude with a discussion of possible applications. 

The mechanism provided here differs from providing private information 
exchange with cryptographic methods (i.e., learning exactly one bit and nothing 
more), or quantum attacks relying on more advanced quantum technology such 
as creating and storing entangled states until completing the protocol [16]. This
illustrates the importance of understanding plausible capabilities of adversaries, 
especially in the context of an emerging technology where advanced capabilities 
are likely to be too expensive (or not available) to justify the cost compared to, 
say, just purchasing the additional information from the vendor. 

The problem we deal with in this paper is known as symmetrically private 
information retrieval (SPIR) or oblivious transfer (OT) in the cryptography 
community. We refer to [6] for an excellent survey of the subject. In the classical 
computation model, one can achieve computationally secure SPIR with a single 
server under appropriate computational hardness assumptions [15, 3, 22, 20].
When there are multiple servers which do not communicate with each other,
one can design information theoretically secure SPIR [7]. The emphasis in those
studies is on reducing the communication complexity. 

Quantum channels allow reducing the communication complexity in the case
of more than one server [14]. The method studied in this paper only uses
one-way communication from the vendor to the user. Therefore, the privacy of the
user is guaranteed, and only the privacy of the vendor is of concern. In such
a model, if the length of the database is n bits, the vendor must communicate
$\Omega(n)$ bits of information, and it is impossible to guarantee the vendor's privacy
in the information theoretic sense even with prepared entangled states between
the vendor and the user [2H Q]. In this paper, we show that when the user
can only store entangled states for a short time, we may achieve information
theoretic SPIR. This has similar flavor to the previous study in which the user
is memory constrained [2].



2 One out of two exchange 

In this section, we consider the case when the vendor has a database of two 
items, each with m bits, and wishes to deliver one and only one item to the user 
according to the user's private choice, which is not revealed to the vendor. 

The vendor picks an encoding for the value of each message, represented 
as 2m bits. These bits are sent to the user who then must measure them, 
in some choice of basis, and wait for the vendor to announce the choice of 
encoding. Knowing the measurement outcome and the encoding allows the 
user to determine all m bits of one item. To prevent the user from learning 
both messages (with probability 1), it is important that the user's measurement 
take place before the vendor announces the encoding - otherwise the user could 
invert the operator producing the announced encoding and recover both items. 
The protocol ensures this based on a limited coherence time of the available 
technology - the vendor simply waits until well past the coherence time before 
announcing the encoding choice. 



2.1 Single bit exchange 

As an illustrative example, consider a database with two items, each with one 
bit of information (e.g., a recommendation to buy or sell a company's stock). 
The vendor selects two maximally incompatible measurement bases: 

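$$|0\rangle,\ |1\rangle \qquad (1)$$

and

$$\tfrac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right),\ \tfrac{1}{\sqrt{2}}\left(|0\rangle - |1\rangle\right) \qquad (2)$$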

The vendor encodes the database into a superposition of the two bits such that 
measurement in these bases reveals the bit value corresponding to the first or 
second item in the database, respectively. 

To do this, the vendor encodes the value for each item in two bits, randomly 
choosing one of two encodings. For the first encoding, the vendor specifies the 
first and second bits using the first and second of these bases, respectively. The 
superposition sent to the user is one of the following, according to whether the 
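database values are 00, 01, 10 or 11, respectively:

$$\tfrac{1}{\sqrt{2}}\left(|00\rangle + |01\rangle\right)$$
$$\tfrac{1}{\sqrt{2}}\left(|00\rangle - |01\rangle\right)$$
$$\tfrac{1}{\sqrt{2}}\left(|10\rangle + |11\rangle\right)$$
$$\tfrac{1}{\sqrt{2}}\left(|10\rangle - |11\rangle\right)$$

The second encoding specifies the bits using the same bases, but forms the
superposition of the two bits in the opposite order. The corresponding
superpositions for database values 00, 01, 10 or 11, respectively, are:

$$\tfrac{1}{\sqrt{2}}\left(|00\rangle + |10\rangle\right)$$
$$\tfrac{1}{\sqrt{2}}\left(|00\rangle - |10\rangle\right)$$
$$\tfrac{1}{\sqrt{2}}\left(|01\rangle + |11\rangle\right)$$
$$\tfrac{1}{\sqrt{2}}\left(|01\rangle - |11\rangle\right)$$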

The user can obtain the single bit associated with either item by electing to 
measure in one of the two announced bases. 

For example, suppose the bit values in the database are 01. If the vendor
chooses the first encoding, the user receives the state
$|\psi\rangle = (|00\rangle - |01\rangle)/\sqrt{2}$
as represented in the first basis. Measurement in the first basis gives either 00
or 01, and the user will use this measured result to learn the value for the first
item is 0 once the vendor announces the choice of encoding. Expressed in the
second basis, the state $|\psi\rangle$ is $(|01\rangle + |11\rangle)/\sqrt{2}$. Thus choosing to measure in
the second basis gives the user either 01 or 11, which specifies the value of the
second item is 1.

On the other hand, if the vendor chooses the second encoding, the user
receives the state $|\phi\rangle = (|00\rangle - |10\rangle)/\sqrt{2}$. Measurement in the first basis gives
either 00 or 10, and the user will learn the value for the first item is 0 (based on
the 2nd bit of either of these outcomes) once the vendor announces the choice of
encoding. Expressed in the second basis, the state $|\phi\rangle$ is $(|10\rangle + |11\rangle)/\sqrt{2}$. Thus
choosing to measure in the second basis gives either 10 or 11, indicating the
value of the second item is 1 (based on the 1st bit of either of these outcomes).

In either of these cases, the measured outcome in one basis gives no
information on the value of the item associated with the other basis.

The user could instead choose any other basis for the measurement, or even 
use different bases for the two bits. Such choices can reveal a function of the 
bit values for both items, e.g., their exclusive-or. That is, the user could learn
whether both bits in the database are the same without learning anything about 
their values (e.g., which could be used as a recommendation regarding a joint 
derivative instrument on both companies, such as a recommendation of whether 
they will both change in the same direction). However, as described below, no 
choice of basis allows the user to learn more than one bit of information about 
the database, on average. Thus in contrast to conventional (i.e., cryptographic) 
methods for private database query, the user has a wider set of options than 
just picking one of the database bits to learn. 

If the user knows the encoding used by the vendor, then instead of selecting 
a basis to measure the states, the user could apply the inverse of the 2-qubit 
encoding operation to produce values for both bits in the database upon final 
measurement. However, doing this using the wrong encoding gives no
information about either bit. Thus with limited coherence time, the vendor simply waits
longer than that interval before announcing the choice of encoding. In that case 
the user must make a measurement before learning the encoding. After learning 
the encoding, the user would then know whether both or neither of the bits are 
revealed, but would no longer have the original quantum state. Each alternative 
occurs with probability 1/2 so, on average, only one bit of information from the 
database is revealed. The question now is whether there exists some basis for 
the user to learn more than one bit of information. We show this is impossible 
in the following sections. 

2.2 General formulation 

Suppose the vendor has two one-bit values, $d_0$ and $d_1$. These two values specify
the vendor's database state $d = |d_0 d_1\rangle$. The vendor has two encoding operators
acting on the two bits of the database, specified as $4 \times 4$ encoding matrices
$E_0$ and $E_1$. These matrices are unitary, i.e., $E_i^\dagger = E_i^{-1}$ where $E_i^\dagger$ denotes the
adjoint (i.e., complex conjugate transpose) of $E_i$. The vendor announces these
two operators to the user.

The vendor then randomly picks one of the two encodings, say $E_i$, and sends
the state $e = E_i d$ to the user. That is, $e$ is column $d$ of the encoding matrix $E_i$.
The user selects a measurement basis, given as the columns of a unitary matrix
$M$. This measurement is a standard projective or von Neumann measurement.
We consider the more general POVM case in Section 2.4. Thus the user measures
the state $Me$, obtaining outcome $j$ with probability
$P(j|d,i) = |(Me)_j|^2 = |(ME_i)_{j,d}|^2$, conditioned on the vendor's choice of encoding $i$ and the value
of the database $d$. The user is free to choose any basis, but selects $M$ and
performs the measurement without knowledge of which encoding the vendor
selected. After the measurement, the vendor announces the encoding choice $i$.

From the observation j and choice of encoding i the user can use Bayes' 
theorem to obtain a posterior probability distribution over the values of the 
database. Specifically,



p(d\n)- (3) 

where $P(d)$ is the prior distribution on the database, and the last expression
follows from our assumption this prior is uniform, i.e., $P(d) = 1/4$ is independent
of $d$. The sum in the denominator is $\sum_{d'} |(ME_i)_{j,d'}|^2 = 1$ since the matrix $ME_i$
is unitary. Thus the user's knowledge of the database, given by the distribution
on the values $d$, is $P(d|j,i) = |(ME_i)_{j,d}|^2$.

The uncertainty in the user's knowledge of the database after this procedure
is the entropy of this distribution, $h_{j,i} = H(\{P(0|j,i), \ldots, P(3|j,i)\})$ where for
a probability distribution $P = \{p_0, \ldots, p_{n-1}\}$, $H(P) = -\sum_k p_k \log p_k$ is its
entropy¹.

Since each encoding choice is equally likely and not known to the user at
the time of measurement, on average the user's remaining uncertainty about
the database is $h_j = (h_{j,0} + h_{j,1})/2$. The entropy of the prior distribution,
$H(1/4, 1/4, 1/4, 1/4) = 2$ so the amount of information the user gains, averaged
over the vendor's choice of encoding, is $2 - h_j$. That is, this is the expected
value of the reduction in the user's uncertainty (i.e., entropy) of the inferred
distribution over the database items when the vendor chooses each encoding
with equal probability.

To bound the user's information gain, we need a lower bound on $h_j$. We
obtain such a bound as a special case of the generalized entropic uncertainty
relations [17]. For a complex unit vector $u = (u_0, \ldots, u_{n-1})^T \in \mathbb{C}^n$, define
$H_2(u) = H(|u_0|^2, \ldots, |u_{n-1}|^2) = -\sum_i p_i \log p_i$ where $p_i = |u_i|^2$. For any two
$n \times n$ matrices $A$ and $B$, let $c(A,B) = L_\infty(AB)$, where $L_\infty(X)$ is the
infinity-norm for a matrix $X$, i.e., $L_\infty(X) = \max_{i,j} |X_{i,j}|$. In [17], it is shown that

Theorem 2.1 [17] For any vector $u$ and unitary matrices $A$ and $B$,
$$H_2(Au) + H_2(Bu) \geq -2 \log c(A,B).$$

In particular, suppose $AB$ is a Hadamard matrix (an $n \times n$ matrix $W = (w_{ij})$ is
a Hadamard matrix if $W$ is unitary and if $|w_{ij}| = 1/\sqrt{n}$). Then $c(A,B) = 1/\sqrt{n}$
and $H_2(Au) + H_2(Bu) \geq \log n$.

To apply this bound to our case, let $u = e_j^\dagger M E_0$ and $v = e_j^\dagger M E_1$ where $e_j$
is the unit vector with $(e_j)_j = 1$ and $(e_j)_k = 0$ for $k \neq j$. Then $u_d = (ME_0)_{j,d}$
so $P(d|j,0) = |u_d|^2$ and, similarly, $P(d|j,1) = |v_d|^2$. We have $v = E_1^\dagger E_0 u$, so
taking $A$ to be the identity matrix and $B = E_1^\dagger E_0$ we have

$$H_2(Au) + H_2(Bu) = H_2(u) + H_2(v) = h_{j,0} + h_{j,1}$$

and so $h_j \geq -\log c(I, E_1^\dagger E_0)$ from Theorem 2.1. This bound is independent of
$j$, i.e., the particular outcome the user measures.

¹ Throughout the paper, all the logarithms are base 2 unless explicitly stated.

Thus if the vendor's choice of encodings have $E_1^\dagger E_0$ a Hadamard matrix, and
the user starts with a uniform prior distribution for the $n$ states, with $H = \log n$,
the average information gain for the user is

$$I_{\mathrm{gain}} = \log n - h_j \leq \log n - \log \sqrt{n} = \tfrac{1}{2} \log n \qquad (4)$$



The encoding matrices corresponding to the example in Section 2.1 are $E_0$,
$E_1$ equal to
respectively. The encoding $E_1$ includes the permutation of the bits of the
database. $E_1^\dagger E_0$ has all entries equal to $\pm 1/2$, i.e., is a $4 \times 4$ Hadamard matrix.
Thus, from Eq. [5] with $n = 4$, the average amount of information the user gains
is at most one bit. Moreover, this bound is tight: the measurement examples
described in Section 2.1 provide the user one bit of information.

Note the bound applies to the expected information gain, averaged over the
choice of encodings. As described in Section 2.1, the user could choose to invert
one of the encodings, e.g., take $M = E_0^\dagger$. If the user correctly guesses the
encoding used by the vendor, this procedure gives the user both bits of the
database, i.e., $h_{j,0} = 0$. But if instead the vendor selected $E_1$, the measured
outcome is completely uninformative, with $h_{j,1} = 2$. So the average of these
equally likely possibilities, $h_j = 1$, satisfies the bound.

Thus we establish that a vendor, using maximally incompatible bases for
encoding bits, can arrange for the user to learn no more than one bit of
information, on average, about the two bits in the database.
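
The bound can be checked numerically for the single-bit case. The following is an added example, not code from the paper: `E0` and `E1` are written out from the superpositions listed in Section 2.1, and the function names, the Gram-Schmidt sampler and the seed are choices made here for illustration.

```python
import math
import random

S = 1 / math.sqrt(2)

# Columns are the Section 2.1 superpositions for d = 00, 01, 10, 11;
# rows are the amplitudes on |00>, |01>, |10>, |11>.
E0 = [[S, S, 0, 0], [S, -S, 0, 0], [0, 0, S, S], [0, 0, S, -S]]   # first encoding
E1 = [[S, S, 0, 0], [0, 0, S, S], [S, -S, 0, 0], [0, 0, S, -S]]   # second encoding
IDENTITY = [[1 if r == c else 0 for c in range(4)] for r in range(4)]   # first basis
HH = [[0.5 * (-1) ** bin(r & c).count("1") for c in range(4)]
      for r in range(4)]                                                # second basis


def dagger(a):
    n = len(a)
    return [[complex(a[c][r]).conjugate() for c in range(n)] for r in range(n)]


def matmul(a, b):
    n = len(a)
    return [[sum(a[r][t] * b[t][c] for t in range(n)) for c in range(n)]
            for r in range(n)]


def is_hadamard(u, tol=1e-9):
    """Unitary, with every entry of magnitude 1/sqrt(n)."""
    n = len(u)
    gram = matmul(dagger(u), u)
    unitary = all(abs(gram[r][c] - (r == c)) < tol
                  for r in range(n) for c in range(n))
    flat = all(abs(abs(x) - 1 / math.sqrt(n)) < tol for row in u for x in row)
    return unitary and flat


def entropy(p):
    return -sum(x * math.log2(x) for x in p if x > 1e-12)


def posterior(m, e, j):
    """P(d | j, i) = |(M E_i)_{j,d}|^2 under the uniform prior."""
    return [abs(x) ** 2 for x in matmul(m, e)[j]]


def average_gain(m, j):
    """2 - h_j in bits, with h_j = (h_{j,0} + h_{j,1}) / 2."""
    h = (entropy(posterior(m, E0, j)) + entropy(posterior(m, E1, j))) / 2
    return 2 - h


def max_gain(m):
    return max(average_gain(m, j) for j in range(4))


def random_unitary(n, rng):
    """Random measurement basis: Gram-Schmidt on complex Gaussian vectors."""
    rows = []
    while len(rows) < n:
        v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(n)]
        for r in rows:
            dot = sum(x.conjugate() * y for x, y in zip(r, v))
            v = [y - dot * x for x, y in zip(r, v)]
        norm = math.sqrt(sum(abs(y) ** 2 for y in v))
        if norm > 1e-9:
            rows.append([y / norm for y in v])
    return rows


def worst_random_gain(trials, seed):
    """Largest average gain seen over randomly drawn measurement bases."""
    rng = random.Random(seed)
    return max(max_gain(random_unitary(4, rng)) for _ in range(trials))


if __name__ == "__main__":
    print("E1^dagger E0 is Hadamard:", is_hadamard(matmul(dagger(E1), E0)))
    for name, m in (("first basis", IDENTITY), ("second basis", HH),
                    ("invert E0", dagger(E0))):
        print(name, [round(average_gain(m, j), 6) for j in range(4)])
    print("worst random basis:", round(worst_random_gain(200, 1), 6))
```
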



2.3 Multiple-bit exchange 

Theorem 2.1 applies to vectors with any number of components $n$, not just $n = 4$
as used for the single-bit database items illustrated in Section 2.1. It is well
known that for any $m > 0$, there exist $2^m \times 2^m$ Hadamard matrices. The
standard construction is $W_{2^m} = W_2 \otimes W_2 \otimes \cdots \otimes W_2$, where W2 = -7=



Hence, we can generalize the above scheme to exchanging two items, each with
$m$ bits.

Suppose that the vendor has two messages $d_0, d_1$, each with $m$ bits. Let
$\ell = 2^m$. Pick unitary $\ell \times \ell$ matrices $A_0$ and $A_1$ such that $A_0^\dagger A_1$ is Hadamard.
Thus $A_1^\dagger A_0$ is also Hadamard. Let $C_0 = A_0 \otimes A_1$, $C_1 = A_1 \otimes A_0$ and $P$ be
the permutation matrix to reverse the order of the items, i.e., mapping $d_0 d_1$ to
$d_1 d_0$. The vendor's encoding operators are then $E_0 = C_0$ and $E_1 = C_1 P$. That
is, for the first encoding, the vendor sends the column of $C_0$ indexed by $d_0 d_1$
and for the second encoding sends the column of $C_1$ indexed by $d_1 d_0$, as in the
single bit example. With this formulation, the discussion of Section 2.2 applies
directly to this case.

Let $M_j = A_j^\dagger \otimes A_j^\dagger$ for $j = 0, 1$. It is easy to verify that $M_j C_i$ is the tensor
product of two $\ell \times \ell$ matrices with the $((j - i) \bmod 2)$-th component being the
identity matrix. This is coincident with the position of item $d_j$ in the permuted
string when the vendor uses the encoding matrix $C_i$. Therefore, if the user
applies the measurement $M_j$ and later receives the value of $i$, he learns $d_j$ with
probability 1, regardless of which $C_i$ the vendor uses.

We observe that

$$E_1^\dagger E_0 = P^\dagger C_1^\dagger C_0 = P^\dagger \left( (A_1^\dagger A_0) \otimes (A_0^\dagger A_1) \right),$$

which is an $n \times n$ Hadamard matrix where $n = 2^{2m} = \ell^2$ is the number of possible
configurations for the database. Thus, by Theorem 2.1, we have that no matter
which measurement the user applies, if the prior distribution of the messages is
uniform, then the user can learn at most $\log \ell = m$ bits in expectation.

This construction extends the result of Section 2.2 to show a vendor can
arrange for the user to learn no more than $m$ bits of information, on average,
about the two $m$-bit items in the database.

To make it easy to encode and measure, we can let $A_0$, $A_1$ take the form of
tensor product of $m$ $2 \times 2$ matrices so that the encoding and measurement can
be done by single bit operations. One choice with this property is $A_0 = I$ and
$A_1 = W_\ell$.

There are two drawbacks in the above scheme. First, although in expectation
the user learns $m$ bits, his chance of learning both messages is 1/2 by guessing
right which encoding the vendor uses. One way to reduce this probability is to
split $d_0 = d_{11} \oplus d_{12} \oplus \cdots \oplus d_{1r}$ and $d_1 = d_{21} \oplus d_{22} \oplus \cdots \oplus d_{2r}$, where $\oplus$ represents
bitwise xor. Then the vendor applies the above scheme to the pairs $(d_{1i}, d_{2i})$ for
$1 \leq i \leq r$. The honest user can still learn the message according to his choice.
But if the user wants to learn both messages, he will have to guess right for each
$1 \leq i \leq r$, which happens with probability $1/2^r$.

The other property of our scheme is that the user may choose to learn any
$m$ bits in the combined message $c = d_0 d_1$, rather than just all $m$ bits of one of
the two items. This would be useful if the vendor would like to give the user
the freedom to decide which bits to learn. On the other hand, this property
may be considered as a violation of security, for example, when the vendor
would like the user to learn only one item but not even partial information
about the other item. This is of course impossible to achieve in the information
theoretic sense. But the following simple scheme may prevent the user from
learning individual bits of the original message. In the modified scheme, the
vendor treats each message as an element in Galois field $GF(2^m)$ and picks two
random $a \neq 0$, $b \in GF(2^m)$ and applies the above protocol to the messages
$d_0' = a \cdot d_0 + b$ and $d_1' = a \cdot d_1 + b$, where $\cdot$, $+$ are the arithmetics in $GF(2^m)$.
At the end, the vendor announces $a$, $b$ together with the encoding scheme he
uses. Clearly, an honest user is still able to recover the message according to
his choice. On the other hand, if the user only learns, for example, a constant
fraction of the message $d_0'$ before he knows $a$, $b$, intuitively, it is unlikely that
the user can determine any individual bit of $d_0$.
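
The classical preprocessing in the last two paragraphs (xor splitting into r shares and the affine mask over $GF(2^m)$) can be written out as follows. This is an added example, not code from the paper: it assumes m = 8 with the reduction polynomial x^8 + x^4 + x^3 + x + 1, applies the mask first and the split second (an ordering chosen here), and all function names are illustrative.

```python
import random

M = 8              # bits per item (the text's m); value assumed for this example
MODULUS = 0x11B    # x^8 + x^4 + x^3 + x + 1, an assumed irreducible polynomial


def gf_mul(a, b):
    """Multiply in GF(2^M): shift-and-xor, reduced modulo MODULUS."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a >> M:
            a ^= MODULUS
        b >>= 1
    return result


def gf_inv(a):
    """Inverse of a nonzero element, a^(2^M - 2), by square-and-multiply."""
    if a == 0:
        raise ValueError("a must be nonzero or the mask cannot be undone")
    result, power, e = 1, a, (1 << M) - 2
    while e:
        if e & 1:
            result = gf_mul(result, power)
        power = gf_mul(power, power)
        e >>= 1
    return result


def mask(d, a, b):
    """d' = a * d + b, where + in GF(2^M) is xor."""
    return gf_mul(a, d) ^ b


def unmask(d_masked, a, b):
    """d = a^{-1} * (d' + b), applied once the vendor announces a and b."""
    return gf_mul(gf_inv(a), d_masked ^ b)


def xor_split(d, r, rng):
    """Split d into r shares whose xor is d; any r - 1 of them are uniform."""
    shares = [rng.randrange(1 << M) for _ in range(r - 1)]
    last = d
    for s in shares:
        last ^= s
    return shares + [last]


def xor_join(shares):
    out = 0
    for s in shares:
        out ^= s
    return out


def prepare_rounds(d0, d1, r, rng):
    """Vendor side: r pairs to send through r runs of the two-item exchange,
    plus the (a, b) that is announced only after all measurements."""
    a = rng.randrange(1, 1 << M)
    b = rng.randrange(1 << M)
    pairs = list(zip(xor_split(mask(d0, a, b), r, rng),
                     xor_split(mask(d1, a, b), r, rng)))
    return pairs, (a, b)


def recover(pairs, choice, a, b):
    """Honest user: the same item index in every round, then join and unmask."""
    return unmask(xor_join(p[choice] for p in pairs), a, b)


def round_trip(d0, d1, r, seed):
    # Seeded generator for a reproducible demo; a vendor would draw a, b and
    # the shares from a CSPRNG such as secrets.SystemRandom().
    rng = random.Random(seed)
    pairs, (a, b) = prepare_rounds(d0, d1, r, rng)
    return recover(pairs, 0, a, b), recover(pairs, 1, a, b)


if __name__ == "__main__":
    print([hex(x) for x in round_trip(0x5A, 0xC3, r=4, seed=7)])
```
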

2.4 Generalized measurements 

Our discussion considered users making conventional projective measurements
on the states they receive from the vendor. A more general possibility is positive
operator valued measurements (POVM) [25]. In some cases, such measurements
can distinguish quantum states with higher probability than any projective
measurement. In this section, we briefly describe these measurements and show they
provide no benefit in the context of the two-item database described above.

A POVM consists of a set of $N$ operators $\{R_1, \ldots, R_N\}$ in an $n$-dimensional
Hilbert space. The operators are not necessarily Hermitian, orthogonal or
invertible, and $N$ may be larger than $n$. These operators satisfy

• completeness 

j 

• nonnegativity: for every vector $x$

$$x^\dagger R_j^\dagger R_j x \geq 0 \qquad (6)$$

For a system in a pure state $|\psi\rangle$, measurement gives one of the outcomes
$j = 1, \ldots, N$, with probability for outcome $j$ equal to $P(j) = \langle\psi|R_j^\dagger R_j|\psi\rangle$. This
probability is nonnegative due to the nonnegativity condition, and $\sum_j P(j) = 1$
due to the completeness condition. The state after measurement is

$$\frac{1}{\sqrt{P(j)}} R_j |\psi\rangle$$

Example. For a projection measurement, the POVM consists of $N = n$
orthogonal projection operators: $R_j = |e_j\rangle\langle e_j| = e_j e_j^\dagger$ where $e_j$ is the $j$th unit basis
vector of the measurement. The probability to observe outcome $j$ for state $|\psi\rangle$ is
$\langle\psi|e_j\rangle\langle e_j|\psi\rangle$ or $|\langle e_j|\psi\rangle|^2$, in which case the resulting state is $|e_j\rangle\langle e_j|\psi\rangle / |\langle e_j|\psi\rangle|$,
which is $|e_j\rangle$ up to a phase factor.

In our context of two database items, each with $m$ bits, the Hilbert space has
dimension $n = 2^{2m}$. The vendor picks one of two encoding operators, $E_0$ or $E_1$,
and sends the state $e = E_i d$ to the user. Suppose the user applies the POVM
$\{R_j\}$. With probability $P(j|d,i) = (E_i^\dagger R_j^\dagger R_j E_i)_{dd}$ the user observes outcome $j$
conditioned on the vendor's encoding choice $i$ and value of the database $d$.

Eq. (3) gives user's inference of the distribution of database values from the
outcome of the measurement and the vendor's announced choice of encoding.
The sum in the denominator of Eq. (3), $\sum_{d'} P(j|d',i)$, is $\mathrm{Tr}(E_i^\dagger R_j^\dagger R_j E_i)$ which
equals $\mathrm{Tr}(R_j^\dagger R_j)$ since $E_i$ is unitary. In particular, this sum is independent of
the vendor's encoding choice $i$. We denote this sum by $s^2$ with $s > 0$. Eq. (3)
then gives

$$P(d|j,i) = \frac{P(j|d,i)}{s^2} = (E_i^\dagger S^\dagger S E_i)_{dd}$$

where $S = R_j/s$ so $\mathrm{Tr}(S^\dagger S) = 1$.

Let $A = S E_0$. Then $S E_1 = AU$ where $U = E_0^\dagger E_1$ is a Hadamard matrix
for the choice of encodings described above. Thus $P(d|j,0) = (A^\dagger A)_{dd}$ and
$P(d|j,1) = (U^\dagger A^\dagger A U)_{dd}$.

By orthogonalizing $A$, we have $A^\dagger A = \sum_{r=1}^{n} \lambda_r v_r v_r^\dagger$ where $\lambda_r \geq 0$, $\sum_r \lambda_r = 1$,
and the $v_r$'s are mutually orthogonal unit vectors. For each $r$ we define two
probability distributions over the values $d$ in the database: $p_d^{(r)} = |(v_r)_d|^2$ and
$q_d^{(r)} = |(U^\dagger v_r)_d|^2$. Then $P(d|j,0) = \sum_r \lambda_r p_d^{(r)}$ and $P(d|j,1) = \sum_r \lambda_r q_d^{(r)}$.

By Theorem 2.1 we have $H(p^{(r)}) + H(q^{(r)}) \geq \log n$ because $U$ is a Hadamard
matrix. Using this bound and the convexity of the entropy function, we have

$$H(\{P(d|j,0)\}) + H(\{P(d|j,1)\}) = H\Big(\sum_r \lambda_r p^{(r)}\Big) + H\Big(\sum_r \lambda_r q^{(r)}\Big)$$
$$\geq \sum_r \lambda_r \left( H(p^{(r)}) + H(q^{(r)}) \right)$$
$$\geq \log n \sum_r \lambda_r = \log n .$$

Thus Eq. 2] applies to this POVM, giving the same bound as for the projective
measurements considered above. Since projective measurements can achieve the
lower bound, we see POVM provides no advantage for the user in this context.



3 One out of k exchange 

The previous section considered a database of two items. We showed how the 
user could privately learn one item, and no more, when the vendor selects
randomly from two encodings related by a Hadamard matrix and relies on limited
coherence time to force the user to make a measurement before the choice of 
encoding is announced. 

A natural extension is to a database with k items, each consisting of m bits.
The mechanism would then allow the user to privately learn a limited number
of bits, on average, as well as provide an opportunity to learn all the bits of any
one item with probability one. Table 1 summarizes our notation.

    $m$              number of bits per item
    $k$              number of items in database
    $\ell = 2^m$     number of possible values for each item
    $n = 2^{km}$     number of possible database configurations
    $A_i$            a $2^m \times 2^m$ matrix for encoding one item
    $C_i$            an $n \times n$ encoding matrix

Table 1: Summary of notation.

The scheme is similar to the case of $k = 2$. The vendor chooses $k$ encodings
$C_0, \ldots, C_{k-1}$ in the joint space of $d_0, \ldots, d_{k-1}$, each $m$-bit long. The vendor
chooses one encoding randomly among those candidate encodings to encode the
items and send to the user. The user measures the state before the vendor
announces the encoding. We would like the following properties to hold:

1. For each $0 \leq i \leq k-1$, there exists a measurement $M_i$ such that the user
learns $d_i$ for sure after the vendor announces the encoding.

2. For any measurement $M$ made before the vendor announces the encoding,
including POVM, the user can only learn at most $m$ bits when averaged
over the vendor's choice of encoding.

As an extension to the $k = 2$ case, we consider the following encoding scheme. Let
$A_0, A_1, \ldots, A_{k-1}$ be $\ell \times \ell$ unitary matrices. Let

$$C_i = A_i \otimes A_{i+1} \otimes \cdots \otimes A_{k-1} \otimes A_0 \otimes \cdots \otimes A_{i-1} . \qquad (7)$$

For each $0 \leq i \leq k-1$, we use $C_i$ to encode the concatenated string
$c_i = d_i d_{i+1} \ldots d_{k-1} d_0 \ldots d_{i-1}$, so the corresponding encoding matrix is $E_i = C_i P_i$
where $P_i$ is the permutation giving this reordering of the string. Let
$M_j = A_j^\dagger \otimes A_j^\dagger \otimes \cdots \otimes A_j^\dagger$. It is easy to verify that $M_j C_i$ is the tensor product of $k$ $2^m \times 2^m$
matrices with the $((j - i) \bmod k)$-th component being the identity matrix. This
is coincident with the position of $d_j$ in the concatenated string when using the
encoding matrix $C_i$. Therefore, if the user applies the measurement $M_j$ and
later receives the value of $i$, he learns $d_j$ with probability 1, regardless of which
$C_i$ the vendor uses. It is however harder to guarantee condition 2 which is
implied from the following property:

2'. For any unitary vector $u \in \mathbb{C}^n$ where $n = 2^{km}$,

$$H_2(C_0 u) + \cdots + H_2(C_{k-1} u) \geq (k-1) \log n . \qquad (8)$$

According to Theorem 2.1, when $k = 2$, this property is satisfied by letting
$C_0 = I$ and $C_1 = W_n$. However, we do not know the existence of such matrices
for $k > 2$.

Given the difficulty of finding matrices that satisfy the condition (2'), we can
instead consider the case when the user is honest, i.e. the user always applies
one of the measurements $M_0, \ldots, M_{k-1}$ so as to learn one of $d_i$'s for sure. In this
case, to minimize the information leaked, we would like to minimize $L_\infty(A_j^\dagger A_i)$
for $i \neq j$ by Theorem 2.1. For example, if we can construct a set of $k$ matrices
$A_0, \ldots, A_{k-1}$ such that $A_i^\dagger A_j$ is Hadamard for any $i \neq j$, then the scheme using
Eq. (7) has the honest user learning no information other than the target item.
Such sets of matrices exist for $k \leq 2^m + 1$. Specifically, for any $m > 1$, there exist
$2^m + 1$ complex matrices $A_i$'s of dimension $2^m \times 2^m$ such that $A_i^\dagger A_j$ is Hadamard
for any $i \neq j$ 0]. We refer to [S] for a simpler construction. Therefore, using
the construction in ;5] as the encoding matrices, we can achieve perfect privacy
for honest users as long as $k \leq 2^m + 1$.

Furthermore, by Theorem 2.1, the encoding of Eq. (7) with $A_i^\dagger A_j$ Hadamard
for any $i \neq j$ leaks at most $km/2 = \tfrac{1}{2} \log n$ bits of information even when users
pick arbitrary measurements because

$H_2(C_0 u) + \cdots + H_2(C_{k-1} u)$
= j^iB^^+^M) ( 9 ) 

$\geq \tfrac{k}{2} \log n$, by Theorem 2.1.

Hence, the encoding leaks at most $\log n - \tfrac{1}{k} \sum_i H_2(C_i u) \leq \tfrac{1}{2} \log n$ bits. The
convexity argument of Section 2.4 applies in this case as well. Thus instead of
the $m$ bits an honest user learns, for general measurements we have the weaker
bound where the user could learn up to $km/2$ bits.

While we are unable to show any bound other than Eq. (9), by numerical
experiments with small values of $k$ and $m$, we observe that the number of bits
leaked is approximately $0.4 k^{0.7} m$ bits. We note that the lower bound on the
sum of entropies in [26], for $N + 1$ complementary observables in $N$-dimensional
Hilbert space, does not apply to our case where the dimension of the encoding
matrices is $2^{km}$, much larger than $k$, the number of matrices. In addition, the
construction in [9] is easy to implement physically as they are a multiplication
of a diagonal matrix and the Walsh-Hadamard transform.

Example. As a concrete example when $k = 3$, consider three matrices $A_0, A_1, A_2$
defined as follows. We let $A_0 = I$, $A_1 = a_1 \otimes \cdots \otimes a_1$, $A_2 = a_2 \otimes \cdots \otimes a_2$ where

ai = 75(l -l) a2 = 7l(i <) 

It can be readily verified that $A_0, A_1, A_2$ satisfy the property that $A_i^\dagger A_j$ is
Hadamard for $i \neq j$.

The construction in [9] only works when $k \leq 2^m + 1$. For larger $k$'s, we
observe that if we simply pick random unitary matrix according to Haar
measure [13], then each $A_i^\dagger A_j$ is nearly Hadamard by the following lemma.

Lemma 3.1 For two randomly picked $\ell \times \ell$ orthonormal matrices $A$, $B$,
$$\mathrm{Prob}\{L_\infty(A^\dagger B) > t\} \leq 4 \ell^2 e^{-t^2 \ell / 2} .$$

Proof. The proof follows from the measure concentration result on sphere [TB].
That is, for any two randomly picked unit vectors $u$, $v$,

$$\mathrm{Prob}\{|u \cdot v| > t\} \leq 4 e^{-t^2 \ell / 2} .$$

□

Thus, if we pick $k$ random $2^m \times 2^m$ orthonormal matrices $A_0, \ldots, A_{k-1}$,
then

$$\mathrm{Prob}\{\exists\, i \neq j:\ L_\infty(A_i^\dagger A_j) > t\} = O\!\left(k^2 2^{2m} e^{-t^2 2^m / 2}\right) . \qquad (10)$$

If we let t > c °^J™ for some constant $c > 0$, then with high probability,
$L_\infty(A_i^\dagger A_j) < t$ for all $0 \leq i, j \leq k-1$ and $i \neq j$. Thus, we have the following.

Theorem 3.1 For $m = \Omega(\log k)$, if we pick $k$ random orthonormal matrices,
then with high probability, for an honest user, the information he learns about
the other items is $O(k \log(m + \log k))$ bits.

Proof. By Eq. (10), the information an honest user learns about any other item
is m — \ogt 2 = $O(\log(m + \log k))$ bits. Thus, in total it is $O(k \log(m + \log k))$
bits. □

One problem with random matrices is that it is hard to realize an encoding
and perform a measurement. It would be good if each $A_i$ can be further
decomposed into the tensor product of smaller matrices. This can be done when $k$ is
much smaller than $m$. Let $r = \Omega(2^k m)$. We pick a random $r \times r$ matrix $B_i$,
and let $A_i$ be the $m/\log r$ tensor product of $B_i$. It can be shown by a similar
argument that an honest user learns $o(m)$ bits of the other items in addition
to the item he chooses. In the case when $k$ is much smaller than $m$, $r$ is much
smaller than $2^m$, and it reduces the complexity of encoding and measurement.

In the above discussion, we consider the natural choice where the number 
of encodings used is the same as the number of items. This, however, does not 
have to be the case. More generally, we can assume that there are $K$ encodings
where $K \ne k$. It is possible that by using $K > k$, less information is leaked.

To further reduce the complexity, in the above construction, we can pick a
unitary matrix $A$ and let $A_i = A^i$ for $0 \le i \le k - 1$. This way, the
encoding and measurement are simple as there is only one operator to be
implemented. To reduce the information leaked, we would like $A$ to satisfy the
following properties: $A^k = I$ and $A^i$ is a Hadamard (or nearly Hadamard)
matrix for any $1 \le i \le k - 1$. For $k = 3$, we can let $A$ be the tensor
product of the following matrix:

$$\frac{e^{i\pi/12}}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ -i & i \end{pmatrix}$$

For general $k$, again we do not know how to construct such $A$. It would be
interesting to know whether, for any $k$ and sufficiently large $n$, there exists an
$n \times n$ unitary matrix $A$ so that $A^k = I$ and $A^i$ is Hadamard for $1 \le i \le k - 1$.
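
As an added check (this code is not from the paper), the sketch below builds $A$ as the $m$-fold tensor product of the $k = 3$ matrix, read here as $(e^{i\pi/12}/\sqrt{2})$ times the rows $(1, 1)$ and $(-i, i)$, and verifies that $A^3 = I$ and that every $A_i^\dagger A_j$ with $i \ne j$ is Hadamard. The helper names and the Walsh-Hadamard contrast case are assumptions of the example.

```python
import cmath
import math

def matmul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def kron(X, Y):
    """Tensor (Kronecker) product of two matrices."""
    return [[x * y for x in rx for y in ry] for rx in X for ry in Y]

def dagger(X):
    return [[X[j][i].conjugate() for j in range(len(X))] for i in range(len(X[0]))]

def is_identity(X, tol=1e-9):
    return all(abs(X[i][j] - (i == j)) < tol
               for i in range(len(X)) for j in range(len(X)))

def is_hadamard(X, tol=1e-9):
    """Every entry has modulus 1/sqrt(n): measuring in this basis is uniform."""
    flat = 1 / math.sqrt(len(X))
    return all(abs(abs(x) - flat) < tol for row in X for x in row)

S = cmath.exp(1j * math.pi / 12) / math.sqrt(2)
B3 = [[S, S], [-1j * S, 1j * S]]            # the k = 3 matrix from the text
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]  # Walsh-Hadamard, for contrast

def check(base, m, k=3):
    """Return (A^k == I, every A_i^dagger A_j Hadamard for i != j), A = base tensored m times."""
    A = base
    for _ in range(m - 1):
        A = kron(A, base)
    n = len(A)
    enc = [[[complex(i == j) for j in range(n)] for i in range(n)]]  # A_0 = I
    for _ in range(k - 1):
        enc.append(matmul(enc[-1], A))      # A_i = A^i
    closes = is_identity(matmul(enc[-1], A))
    unbiased = all(is_hadamard(matmul(dagger(enc[i]), enc[j]))
                   for i in range(k) for j in range(k) if i != j)
    return closes, unbiased

if __name__ == "__main__":
    print("k = 3 matrix, m = 3:", check(B3, 3))   # (True, True)
    print("Walsh-Hadamard, m = 3:", check(H, 3))  # (False, False)
```

The Walsh-Hadamard matrix fails both checks for $k = 3$ because it squares to the identity, so $A_2 = A_0$ and the third encoding reveals exactly what the first does.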

When the items contain many bits (m is large), another approach is to 
encrypt the items and use the above protocol with the corresponding decryption 
keys (which generally use considerably fewer bits than the size of the encrypted 
items so the quantum mechanism would not have to deal with the large number 
of bits in each item). In this case, the user picks an item by arranging the 
measurement to learn the bits of that item's key. The limit on how much 
information the user can learn would then make it difficult to learn multiple 
items, provided the keys are long enough. For example, with the 2-encoding 
case discussed above, the keys must be long enough that guessing the remaining 
bits when half are known is still not feasible. 

4 Discussion 

In this paper, we described a simple, private database query protocol using a 
quantum communication channel. Its ability to maintain privacy for the vendor
relies on an assumption of limited coherence times for storing and manipulating 
quantum states. Thus this protocol is not only suitable for early development of 
quantum information technology with limited capability, but specifically takes 
advantage of those limitations. 

Because the user can choose to learn about combinations of bits of the 
database items instead of just a single item for sure, our protocol presents a 
larger range of choices for the user than conventional treatments of oblivious 
transfer. The extent to which this would be beneficial depends on the economic 
context, and associated incentives, in which the protocol is used. One possible 
application is as a component of digital property rights management. Specifi- 
cally, the protocol could be useful in situations where the main economic value 
is from the combined inputs of user and vendor, rather than simply the data 
from the vendor. That is, private computation of a function of both the vendor's 
data and the user's choice as influenced by private information held by the user. 
In this case, with a reasonably large number of items and user choices, even 
if the user were to reveal the result to other potential users, that information 
would likely have low value to the other users unless they happened to wish to 
make the same choice as the original user. Thus those additional users would 
also need to purchase the information from the vendor rather than attempting 
to free ride on a single user's purchase. 

An interesting direction for future study is generalizing the protocol to mul- 
tiple users who have access to additional quantum channels among themselves. 
In particular, in some economic scenarios, users may wish to ensure coordinated 
choices while still maintaining as much privacy as possible. In such situations, 
it would be useful to identify any benefits of the quantum channel among users, 
particularly if limited to pairwise entanglement which is easier to implement 
than more general entangled states. The potential economic benefits of such a
protocol should also be compared with that available with using classical cor- 
relation [T^] . Moreover, in practice, the prior distribution of database values 
need not be the uniform distribution we considered and it would be of interest 
to evaluate the consequences of such prior knowledge on the part of the receiver 
of the quantum state. 

Our quantum mechanism can be simulated classically by having each player
send a choice of operator to a trusted third party. This observation, which
also applies to other quantum games [28], means the practical benefit of such
quantum mechanisms depends on the context of the game, e.g., the differences 
in security and communication costs as well as the level of trust assumed for 
the central institution. For instance, the quantum version allows only a sin- 
gle measurement of the outcome rather than revealing the full database, and 
hence can provide additional privacy for the vendor. Such privacy can also be 
achieved via conventional cryptographic methods but with security based on 
the apparent difficulty of solving certain problems, e.g., factoring, rather than 
inherent in quantum physics. In addition, there is a large overhead when using 
cryptographic methods, especially when the number of bits involved is small. 

Finally, using game theory to evaluate behavior of economic mechanisms 
gives at best approximations of real human behavior. In this case, rationality 
dictates that each individual has a full understanding of the quantum mechanical 
implications of the measurement operator choices. How well this describes the 
actual behavior of people involved in quantum games is an interesting direction 
for future work with laboratory experiments involving human subjects. 